In recent years, Internet access environments have been well developed, and environments which facilitate providing home electric appliances with connectivity to a network (e.g., the lower costs and improved capabilities of devices for networking) have been being developed. At the same time, there has been growing emphasis on copyright protection techniques for protecting content to be transmitted from unauthorized copying, unauthorized interception, and unauthorized tampering. Digital Transmission Content Protection (DTCP) was developed as a copyright protection technique for AV content to be transmitted over an IEEE1394 serial bus and has been deployed on the Internet Protocol (IP) as an extension of the technique (see DTCP Volume 1 Supplement E Mapping DTCP to IP (Informational Version), Revision 1.0, Nov. 24, 2003).
FIGS. 8 and 9 are an example of a functional block diagram of a transmitter and an example of a functional diagram of a receiver, respectively, in a conventional DTCP-IP-based transmission system using the HTTP protocol (under which a connection is established between a server and a client, and data is exchanged between them in the form of a request from the client and a response of the server to the request).
A transmitter 800 in FIG. 8 comprises a certificate and key holding unit 801, an exchange key creation unit 802, an authentication and key exchange unit 803, an update information creation and updating unit 804, a copy control information management unit 805, a content key calculation unit 806, a content accumulation unit 807, a content encryption unit 808, a content packet creation unit 809, a content packet transmission unit 810, and an HTTP protocol unit 811.
The certificate and key holding unit 801 holds a pair of keys (a public key and a private key) of a public key cryptosystem and a certificate.
The exchange key creation unit 802 generates an exchange key (Kx) used to calculate a content key (Kc) for content encryption.
The authentication and key exchange unit 803 accepts an authentication request from a receiver and verifies, through authentication, whether the receiver is an authorized device. In the authentication, a method for performing challenge-response authentication using pairs of keys (public keys and private keys) of the public key cryptosystem and certificates respectively held by the transmitter and receiver is used. During the authentication, an authentication key (Kauth) becomes shared between the transmitter and the receiver. After the authentication, an exchange key (Kx) created by the exchange key creation unit 802 is passed to the receiver using the shared authentication key (Kauth). The series of processes from authentication to key acquisition is performed by the authentication and key exchange unit 803.
The update information creation and updating unit 804 newly creates or updates update information (Nc). The creation refers to, e.g., creating new update information (Nc) by random number generation or the like, and the updating refers to, e.g., adding 1 to the current value of update information (Nc). Update information (Nc) is created upon establishment of a TCP connection. The updating is performed according to a predetermined rule. An example of the predetermined rule is to perform updating with each pair of an HTTP request and response over a single TCP connection. The rule is not the focus of the present invention, and an explanation thereof will be omitted. Update information (Nc) created or updated by the update information creation and updating unit 804 is used to calculate a content key (Kc) by a predetermined rule for maintenance of content protection. The update information (Nc) is attached to a content component encrypted with the content key (Kc) and passed to a receiver.
The copy control information management unit 805 manages an encryption mode used for content which indicates the details of management for the content (e.g., Copy Never or Copy Once) as copy control information (E_EMI). Copy control information (E_EMI) is used to calculate a content key (Kc), attached to a content component encrypted with the calculated content key (Kc), and passed to a receiver.
The content key calculation unit 806 calculates a content key (Kc) from an exchange key (Kx) created by the exchange key creation unit 802, update information (Nc) created or updated by the update information creation and updating unit 804, copy control information (E_EMI) managed by the copy control information management unit 805, and the like, using a one-way function.
The content accumulation unit 807 stores various types of content serving as objects to be delivered.
The content encryption unit 808 encrypts a content component to be delivered using a content key (Kc) calculated by the content key calculation unit 806.
The content packet creation unit 809 creates a content packet formed by attaching update information (Nc) created or updated by the update information creation and updating unit 804 and copy control information (E_EMI) managed by the copy control information management unit 805 to a content component encrypted by the content encryption unit 808.
The content packet transmission unit 810 transmits a content packet created by the content packet creation unit 809.
The HTTP protocol unit 811 performs HTTP server processing, i.e., receives and analyzes an HTTP request and creates and sends an HTTP response. A content packet created by the content packet creation unit 809 is transmitted as the body of an HTTP response to an HTTP GET request from the transmitter.
A receiver 900 in FIG. 9 comprises a certificate and key holding unit 901, an authentication and key exchange unit 902, an update information storage unit 903, a copy control information storage unit 904, a content key calculation unit 905, a content utilization unit 906, a content decryption unit 907, a content packet analysis unit 908, a content packet reception unit 909, and an HTTP protocol unit 910.
The certificate and key holding unit 901 holds a pair of keys (a public key and a private key) of the public key cryptosystem and a certificate.
The authentication and key exchange unit 902 makes an authentication request at a predetermined time. During authentication, an authentication key (Kauth) becomes shared between a transmitter and the receiver. After the authentication, the authentication and key exchange unit 902 receives an exchange key (Kx) encrypted using the shared authentication key (Kauth) from the transmitter and decrypts the exchange key (Kx).
The update information storage unit 903 stores update information (Nc) attached to an encrypted content component received from a transmitter.
The copy control information storage unit 904 stores copy control information (E_EMI) attached to an encrypted content component.
The content key calculation unit 905 calculates a content key (Kc) from an exchange key (Kx) in the authentication and key exchange unit 902 passed from a transmitter, update information (Nc) stored in the update information storage unit 903, copy control information (E_EMI) stored in the copy control information storage unit 904, and the like, using a one-way function.
The content utilization unit 906 utilizes a decrypted content component by, e.g., playing back or recording the content component according to copy control information (E_EMI) stored in the copy control information storage unit 904.
The content decryption unit 907 decrypts an encrypted content component using a content key (Kc) calculated by the content key calculation unit 905.
The content packet analysis unit 908 separates, from an encrypted content component, update information (Nc) and copy control information (E_EMI) attached thereto and passes the pieces of information to the update information storage unit 903 and copy control information storage unit 904, respectively.
The content packet reception unit 909 receives a content packet.
The HTTP protocol unit 910 performs HTTP client processing, i.e., creates and transmits an HTTP request and receives and analyzes an HTTP response.
FIG. 10 shows a cryptographic communication protocol procedure in the conventional transmission system comprising the transmitter 800 shown in FIG. 8 and the receiver 900 shown in FIG. 9.
A conventional cryptographic communication protocol procedure will be explained below using FIG. 10.
(1001) An authentication key (Kauth) becomes shared through an authentication process between the transmitter 800 and the receiver 900. An authentication key (Kauth) is discarded after one-time authentication.
(1002) The transmitter 800 generates an exchange key (Kx).
(1003) The transmitter 800 encrypts the exchange key (Kx) with the authentication key (Kauth) (to produce Ksx) and transmits Ksx to the receiver 900.
(1004) The receiver 900 decrypts Ksx received with the authentication key (Kauth) and obtains the exchange key (Kx).
(1005) A content request using an HTTP GET request is transmitted from the receiver 900 to the transmitter 800.
(1006) The transmitter 800 generates update information (Nc).
(1007) The transmitter 800 learns of copy control information (E_EMI) for content requested by the receiver 900.
(1008) The transmitter 800 calculates a content key (Kc) using the exchange key (Kx), update information (Nc), and copy control information (E_EMI) as input parameters and using a one-way function.
(1009) The transmitter 800 encrypts the content requested by the receiver 900 with the content key (Kc).
(1010) The transmitter 800 attaches the update information (Nc) and copy control information (E_EMI) to the encrypted content component and transmits the resultant to the receiver as the body of an HTTP GET response.
(1011) The receiver 900 acquires the update information (Nc) from the received response.
(1012) The receiver 900 also acquires the copy control information (E_EMI) from the received response.
(1013) The receiver 900 calculates the content key (Kc) using the exchange key (Kx), update information (Nc), and copy control information (E_EMI) as input parameters and using a one-way function.
(1014) The receiver 900 decrypts the encrypted content component with the content key (Kc).
With the series of steps described above of the protocol procedure, the common exchange key (Kx) (1080, 1090); the update information (Nc) (1081, 1091) and copy control information (E_EMI) (1082, 1092) attached to the content component become shared between the transmitter 800 and the receiver 900. Only the authorized receiver can correctly decrypt the encrypted content component using these parameters.
Although a mechanism for content protection by cryptographic communication between parties concerned sharing an exchange key is established in a conventional system, the characteristics of an IP network to which an indefinite number of devices are connected may cause an authentication problem, the problem of “from whom a content component is transmitted.”
More specifically, when a receiver requests content and receives a content, it has no way of verifying whether the received content is an authorized content from an authorized transmitter serving as a destination of request. For example, even if an attacker monitors an IP network, records (caches) an encrypted content component flowing through the IP network, and responds to a request from a receiver using the recorded content component while masquerading as an authorized transmitter, the receiver cannot discern the masquerade.
FIG. 11 shows a chart for explaining a problem in the network configuration of the conventional transmission system. A case which poses a problem will be explained below using FIG. 11.
The transmitter 800 and receiver 900 are devices sharing an exchange key and authorized to perform cryptographic communication. Between the transmitter 800 and the receiver 900, an encrypted content component (1112) with accompanying information is transmitted in response to a content request (1111) from the receiver 900.
An unauthorized device 1100 connected on a network can monitor and record an HTTP request and HTTP response flowing on a bus (1113). Although the unauthorized device 1100 itself cannot utilize a content by, e.g., decrypting and viewing the content, afterward it can, for example, hook an HTTP request from the receiver 900 to the transmitter 800 (1114) and fraudulently substitutes the previously recorded content for the content to be received by the receiver 900 and transmits it while masquerading as the authorized transmitter 800 (1115).
At this time, the receiver 900 cannot determine whether the substituted and transmitted content is an authorized content transmitted from the authorized transmitter 800 or a content transmitted from the unauthorized device 1100. Accordingly, the receiver 900 lets a user utilize the substituted and transmitted content.
The present invention has been made to solve the above-described conventional problem and as its object, provide an authorized content verification method, content transmission and reception system, transmitter, receiver, and the like which can determine whether received content is authorized content.